Google reCaptcha V3 - Backend Verification?


    #48780
    Codog
    Participant

    Hi There,
    I use the MB User Profile Login & Registration forms on a site. I also use Google ReCaptcha V3 on these forms to mitigate against bots. My Site Key and Secret Key are defined as constants in my wp-config.php and called as variables to the shortcode forms. There are no errors present in my debug.log or Console relating to this setup. All has been working fine for a number of months. However, I have recently received an email from my Google Cloud Console stating....

    ..." You aren't protected.
    We have seen 33 unprotected events from your site because your setup is incomplete. It's likely that you have missed the step: verify the reCAPTCHA token, because reCAPTCHA has not received any token verification requests from your site backend. Please return to your reCAPTCHA console now for a step-by-step guide that will walk you through the final steps."....

    I assumed that the backend verification was handled by your plugin?

    What might be the likely causes of this warning?

    Cheers

    #48781
    Codog
    Participant

    Q) Does the MB AIO plugin support ReCaptcha on MB User Profile Login Forms? When adding some debug logging to verify reCaptcha requests on the login form... I get nothing. On the Registration Form I see the reCaptcha request.

    Can you confirm?

    Cheers

    #48796
    Peter
    Moderator

    Hello Leo,

    Thanks for reaching out.

    Yes, the plugin MB AIO supports reCaptcha on the user profile forms. Can you please let me know how you add the key to the form, and share the page URL where you display the form? I will help you check the issue.

    #48799
    Codog
    Participant

    Hi Peter,
    thanks for getting back to me and confirming. So to clarify how the keys are added:

    // Google reCAPTCHA keys, defined as constants in wp-config.php
    $login_site_key   = defined('GRC_LOGIN_SITE_KEY') ? GRC_LOGIN_SITE_KEY : '';
    $login_secret_key = defined('GRC_LOGIN_SECRET_KEY') ? GRC_LOGIN_SECRET_KEY : '';

    // Login Shortcode ($return_url is set earlier in the template).
    // Escape every value before interpolating it into a shortcode attribute so a
    // quote in the redirect URL cannot break out of the attribute string.
    echo do_shortcode('[mb_user_profile_login label_username="Email" label_title="Login" ajax="true" value_remember="true" recaptcha_key="' . esc_attr($login_site_key) . '" recaptcha_secret="' . esc_attr($login_secret_key) . '" redirect="' . esc_attr($return_url) . '"]');

    I use the same methodology on other MB User Profile Forms. I have also double checked and verified the login keys are correct.

    Page where login can be viewed: https://wordpress.build/client-login/

    I look forward to your feedback.

    Cheers

    I ha

    #48808
    Peter
    Moderator

    Hello,

    I checked your client login page and see the reCaptcha is working well; I don't see any issues with it. Can you please contact Google reCaptcha support and ask them to provide more information?

    #48861
    Codog
    Participant

    Well, agreed! That's what I thought. I will attempt to contact them... but I don't expect a reply.

    #49025
    Codog
    Participant

    Hi Peter,
    When you say ..."reCaptcha is working well, don't see any issues with it"... I do not believe you are correct. I am still repeatedly being sent "You aren't protected" emails from my Google Cloud Console. Although the V3 reCaptcha badge is visibly displayed in my login page, the response token is never generated and validated with the API. I have checked this in my Google Cloud Console and in the Google Chrome network tab.

    Google cloud console clearly shows that all is well with all my other Metabox related reCaptchas (Registration and contact forms) but the login form states "unprotected".

    Can you please run a check and test on your own demo site. To me it looks like the reCaptcha is broken on the MB User Profile Login.

    I look forward to your response.

    Thanks!

    #49031
    Peter
    Moderator

    Hello,

    The token on your login page is generated properly, please check this screen recording https://drive.google.com/file/d/198vV2sNPgC6ye83hbOeBmFpjppJU9eSF/view?usp=sharing

    I also set up a test site on TasteWP to double-check the issue and still don't see it, screenshots https://imgur.com/a/LbQb77U
    Here is the page with the user login form https://understoodvolleyball.s6-tastewp.com/mb-login-page/

    You can login to the test site with this info
    https://understoodvolleyball.s6-tastewp.com/wp-admin
    Username: admin 
    Password: BLp957P9nyA

    Note: it will expire in 2 days.

    #49036
    Codog
    Participant

    Hi Peter,
    thanks for taking the time to check and validate this issue. In response to your points....

    You: The token on your login page is generated properly, please check this screen recording
    Yup, that's the token alright. So brief that I must have missed it the first time I looked. Apologies!

    You: I also setup a test site on TasteWP to double-check the issue and still don't see it, screenshots
    Thanks, I looked at that and yes working fine, as is my own implementation of the login form. I also see valid results for my login form at: https://www.google.com/recaptcha/admin

    However, when in the Google Cloud Console I see this for my "Login Form": https://imgur.com/a/kHXkaWW Do you see the same in your Google Cloud Console for your login form? This is why I am getting repeated emails from Google stating that I am unprotected here - I really don't get it? Other MB forms here state "Protected".

    Cheers

    #49042
    Peter
    Moderator

    Hello,

    I'm not sure how other user profile forms state "Protected" in the Cloud Console. After searching around, here is my understanding of the reCaptcha key:

    You are looking at two different dashboards.

    - Admin console (recaptcha/admin): shows traffic for Classic reCAPTCHA v2/v3 keys (the ones you registered at google.com/recaptcha).

    - Google Cloud Console (security/recaptcha): shows metrics/logs only for reCAPTCHA in Google Cloud (reCAPTCHA Enterprise tiers) keys that live in a Cloud project. Classic keys don’t populate this dashboard.

    However, let me ask the development team to recheck it and I will get back to you when I have more information.

    #49043
    Codog
    Participant

    Hi Peter,
    thanks for getting back to me. In response....

    You - Admin console (recaptcha/admin): shows traffic for Classic reCAPTCHA v2/v3 keys (the ones you registered at google.com/recaptcha).

    I believe this "Classic" reCaptcha Admin Console is being retired soon in favour of the Google Cloud Console reCaptcha admin, where all reCaptchas will be managed going forward. All of my reCaptcha Keys have already been migrated to the Cloud Console. I have 4 MB Forms with Keys. Only the "login" form is showing as unprotected.

    When hovering over the "Unprotected" it states "To fully protect your site or app, finish setting up your key. Your key is requesting tokens (executes), but isn't requesting scores (assessments)."

    It would be great to hear what your development team have to say about this issue!

    Thanks again 🙂
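Editor's note, added to the thread and not part of any post above or of the Meta Box plugin's own code: the Cloud Console message quoted in the last post ("requesting tokens (executes), but isn't requesting scores (assessments)") describes the two halves of reCAPTCHA v3. The browser obtains a token via `grecaptcha.execute()`; the server must then POST that token, together with the secret key, to the siteverify endpoint and act on the returned `success`, `score`, `action`, `hostname` and `challenge_ts` fields. Only the second step counts as a verification from Google's side. The example below is the server-side step written as plain PHP so it runs outside WordPress; it assumes the token arrives in the default `g-recaptcha-response` field, that the client executed with action `login`, and that 0.5 is an acceptable minimum score (all three are assumptions, not facts from the thread). The transport is injectable so the decision logic can be exercised offline against a constructed response.

```php
<?php
// Added example (not Meta Box / MB User Profile code): server-side verification of a
// reCAPTCHA v3 token, i.e. the "assessment" step the Cloud Console reports as missing
// when a key issues tokens that are never verified.
// Assumptions (not from the thread): token posted as 'g-recaptcha-response', client
// executed with action 'login', minimum acceptable score 0.5.

const GRC_SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * POST the token to siteverify and decide whether to trust it.
 *
 * @param string    $secret          Secret key (e.g. the GRC_LOGIN_SECRET_KEY constant).
 * @param string    $token           Token posted by the browser.
 * @param string    $expected_action Action passed to grecaptcha.execute(), e.g. 'login'.
 * @param string    $expected_host   Hostname the form is served from.
 * @param float     $min_score       Reject scores below this (1.0 likely human, 0.0 likely bot).
 * @param ?callable $transport       Optional (url, fields) => raw JSON body, for offline tests.
 * @return array{ok: bool, reason: string, score: ?float}
 */
function grc_verify_v3_token(
    string $secret,
    string $token,
    string $expected_action,
    string $expected_host,
    float $min_score = 0.5,
    ?callable $transport = null
): array {
    if ($token === '') {
        return ['ok' => false, 'reason' => 'missing token', 'score' => null];
    }
    $fields = ['secret' => $secret, 'response' => $token];
    if (!empty($_SERVER['REMOTE_ADDR'])) {
        $fields['remoteip'] = $_SERVER['REMOTE_ADDR'];
    }
    $transport = $transport ?? 'grc_http_post';
    $data = json_decode((string) $transport(GRC_SITEVERIFY_URL, $fields), true);
    if (!is_array($data)) {
        return ['ok' => false, 'reason' => 'unparseable siteverify response', 'score' => null];
    }
    if (empty($data['success'])) {
        $codes = implode(',', $data['error-codes'] ?? ['unknown']);
        return ['ok' => false, 'reason' => "siteverify failed: $codes", 'score' => null];
    }
    $score = isset($data['score']) ? (float) $data['score'] : null;
    // v3 returns success=true for any well-formed, unexpired token; the actual security
    // decision is in the checks below. Each closes a replay or cross-form reuse path.
    if (($data['action'] ?? '') !== $expected_action) {
        return ['ok' => false, 'reason' => 'action mismatch', 'score' => $score];
    }
    if (($data['hostname'] ?? '') !== $expected_host) {
        return ['ok' => false, 'reason' => 'hostname mismatch', 'score' => $score];
    }
    $ts = strtotime($data['challenge_ts'] ?? '');
    if ($ts === false || time() - $ts > 120) { // v3 tokens are only valid for two minutes
        return ['ok' => false, 'reason' => 'token expired', 'score' => $score];
    }
    if ($score === null || $score < $min_score) {
        return ['ok' => false, 'reason' => 'score below threshold', 'score' => $score];
    }
    return ['ok' => true, 'reason' => 'verified', 'score' => $score];
}

/** Default transport using PHP streams. Inside WordPress, wp_remote_post() is the idiomatic equivalent. */
function grc_http_post(string $url, array $fields): string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    return (string) file_get_contents($url, false, $ctx);
}

// Offline demonstration with a constructed siteverify response (no network call made).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $fake = function (string $url, array $fields): string {
        return json_encode([
            'success'      => true,
            'score'        => 0.3,
            'action'       => 'login',
            'challenge_ts' => gmdate('c'),
            'hostname'     => 'wordpress.build',
        ]);
    };
    $result = grc_verify_v3_token('secret', 'tok', 'login', 'wordpress.build', 0.5, $fake);
    var_dump($result); // a well-formed token with score 0.3 is rejected: 'score below threshold'
}
```

When wired into a real login handler, this function is what produces the backend traffic the Cloud Console is looking for: if it is never called for the login form, the key keeps executing without assessing, which is exactly the "unprotected" state described in the last post. Logging the `reason` and `score` on each call is also a quick way to confirm from the server side that the verification request actually happens for a given form.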
